The trends for HS and Dropout are also negative. To me it implies education across the board is getting worse (assuming IQ is a good measure of “good” education).
> But most people aren't YouTubers. In my experience, people who aren't into tech usually have no idea their upload speeds are any slower than their download speeds, much less 25 times slower.
People who aren't into tech aren't trying to fine-tune Llama2 and then upload it to a cloud machine.
Getting out of bed and "real stuff" is supposed to be part of a pentest.
The problem is more the sheer amount of stuff you are supposed to know to be a pentester. Most pentesters come into the field by knowing a bit of XSS, a few things about PHP, and SQL injections.
Then you start to work, and the clients need you to test things like:
- compromise a full Windows network and take control of the Active Directory server because of a misconfiguration of Active Directory Certificate Services, while dealing with Windows Defender
- test a web application that uses websockets, React, nodejs, and GraphQL
- test a WinDev application with a Java backend on an AIX server
- check the security of an architecture with multiple services that use single sign-on, and Kubernetes
- exploit multiple memory corruption issues ranging from buffer overflow to heap and kernel exploitation
- evaluate the security of an IoT device with firmware OTA updates and secure boot
- be familiar with cloud tokens, and compliance with European data protection law
- mobile security, with iOS and Android
- network: RADIUS, ARP cache poisoning, writing a Scapy layer for a custom protocol, etc.
- cryptography, you might need it
Most of this is actual stuff I had to work on at some point.
Nobody knows everything. Being a pentester is a journey.
So in the end, most pentesters fall short on a lot of this. Even with an OSCP certification, you don't know most of what you should know.
I heard that in some companies, people don't even try and just give you the results of a Nessus scan.
But even if you are competent, sooner or later you will run into something that you don't understand. And you have 2 weeks max to get familiar with it and test it. You can't test something that you don't understand.
The scanner always gives you a few things that are wrong (looking at you TLS ciphers).
Even if you suck, or if the system is really secure, you can put a few things into your report.
As a junior pentester, my biggest fear was always to hand in an empty report. What were people going to think of you, if you work for 1 week and don't find anything?
>As a junior pentester, my biggest fear was always to hand an empty report.
I'm trying to remember the rule where you leave something intentionally misconfigured/wrong for the compliance people to find and that you can fix so they don't look deeper into the system. A fun one with web servers is to get them to report they are some ancient version that runs on a different operating system. Like your IIS server showing it's Apache 2.2 or vice versa.
But at least from your description it sounds like you're attempting to pentest. So many of these pentesting firms are click a button, run a script, send a report and go on to the 5 other tickets you have that day type of firms.
I think the concern is more about the theatre of most modern pen-testing rather than expecting deep bug-bounty work. I'm not a security expert either, but I've had to refute "security expert" consultations from pen-test companies, and the reports are absolutely asinine half the time and filled with so many false positives due to very weak signature matching that they're more or less useless and give a false sense of security.
For example, dealing with a "legal threat" situation with the product I work on because a client got hit by ransomware and they blame our product because "we just got a security assessment saying everything was fine, and your product is the only other thing on the servers". Checked the report: basically it just runs some extremely basic port checks/Windows config checks that haven't been relevant for years and didn't even apply to the Windows versions they had, and in the end the actual attack came from someone in their company opening a malicious email and having a .txt file with passwords.
I don't doubt there are proper security firms out there, but I rarely encounter them.
That’s interesting. I thought maybe it’s a resource constraint issue, where companies prioritise investment in other areas and do the minimum to “get certified” but it sounds like finding a good provider can be extremely difficult.
Real stuff should always be a pentest - a penetration test where one is actively trying to exploit vulnerabilities. So the person who orders that gets a report with !!exploitable vulnerabilities!!.
Checking all common attack vectors is vulnerability scanning, and it is mostly running a scanner and weeding out false positives, but not trying to exploit any. Unfortunately most companies/people call that a penetration test, while it cannot be, because there is no attempt at penetration. While automated scanning tools might do some magic to confirm a vulnerability, it still is not a penetration test.
In the end, a bug bounty program is different in a way - you never know if any security researcher will even be interested in testing your system. So in reality you want to order a penetration test. There is usually also a difference where the scope of a bug bounty program is limited to what is available publicly. Where company systems might not allow creating an account for non-business users, the security researcher will never have access to an authenticated account to do the stuff. A bounty program also has other limitations, because a pentesting company gets a contract and can get much more access, like doing a white-box test where they know the code and can work through it to prove there is an exploitable issue.
As in every industry there are cheapskates, and especially in pentesting it is often hard for the customer to tell the good ones from the bad ones. Nevertheless, I think that you have never worked with a credible pentesting vendor. I am doing these tests for a living and would be ashamed to deliver anything coming near your description :-)
Bug bounty programs are a nightmare to run. For every real bug reported you'll get thousands of Nikto PDFs with CRITICAL in big red scare letters all over them. Then you'll get dragged on Twitter constantly for not being serious about security. Narrowing the field to vetted experts will similarly get you roasted for either having something to hide or not caring about inclusion. And god help you if you have to explain that you already knew about a bug reported by anyone with more than 30 followers...
There are as many taxonomies of security services as there are companies selling them. You have to be very specific about what you want and then read the contract carefully.
Pentest means penetration testing, which means one needs to take the attacker's hat and try to enter your network or the app infrastructure and get as much data as they can, be it institutional or customer data. It can be through technical means as well as social engineering practices. And then report back.
This is in no way related to a bug bounty program.
Counterpoint: most of the top rated bug bounty hunters have a background in penetration testing.
I think it's more accurate to say Bug Bounty only covers a small subset of penetration testing (mainly in that escalation and internal pivoting are against the BB policy of most companies).
What is a state prosecutor going to prosecute Microsoft on? Vague T&C? As great as it may sound, having the state going around proactively enforcing the T&C of every product is not going to be effective or fair.
In the U.S., it is at least possible to avoid such double taxation (but only in some situations -- i.e. you were itemizing anyway instead of taking the standard deduction, and you live in a state with no income tax). https://ttlc.intuit.com/turbotax-support/en-us/help-article/...
I'm (Dutch) self-employed, which means I have my own one-man company, and as such, I can get my VAT back for stuff I buy for my business. Of course I also have to charge VAT for my services again, so that's expected to include the VAT for the stuff I bought.
But it does create a massive tax loophole: because I'm a software developer, I can deduct the costs of any computer I buy, but nobody is checking whether I actually use it for work or for gaming. I can deduct work lunches, but employees can't. I know someone who deducted his motorbike because he also used it for work. I can deduct phone and internet costs because I also use them for work.
I find the way I can avoid some taxes that others can't, rather questionable. Frankly, everybody should have their own company to avoid this inequality. And the stuff I can deduct is small potatoes compared to the stuff I'm sure some other people are deducting. I'm no tax expert, but I'm sure this is a big part of why billionaires pay so little tax.
Also, companies on the edge of the health care system have a problem, because health care is VAT free, so health care companies cannot get the VAT back they have to pay to their suppliers, which makes suppliers of services to the healthcare industry effectively more expensive than they should be. I think this whole system is in dire need of an overhaul.
You’ll find you’re not the first person who has discovered that you can cheat on your taxes by expensing personal purchases and by deducting things you are explicitly not allowed to deduct. The government’s inability to cheaply audit people like you means you won’t get in trouble. Your gut feeling that “it’s questionable” is right. Accountants lie about what deductions are allowed because they know the way to get happy customers is by producing tax savings, even where none exist. Just look up the tax laws for yourself and you’ll find that the “massive loophole” doesn’t exist.
But this isn't even cheating; this is stuff I am allowed to deduct. My accountant keeps bringing them up, and he's not the kind to cheat on this stuff. Other clients of his have been audited and received compliments for how well their stuff was in order. There are apparently very good reasons why this can be deducted. If the massive loophole doesn't exist, it's because it works as intended and is not a loophole at all, but to me it feels like a very grey area, because I don't think employees can deduct all of this stuff.
And I'm certainly not going to look up tax laws; that's exactly what I'm paying my accountant for.
Your accountant is 100% wrong. If you buy a computer and use it 20% for work and 80% for hobby stuff or gaming then you can deduct it for 20%. That's the law. This takes 30 seconds to google and your refusal to do so is mystifying because your accountant isn't liable for filing your taxes wrong, you are.
Your accountant keeps bringing deductions up because he wants you to feel he's worth his fees. That's why literally every accountant I've ever worked with has told me that "a good accountant pays for himself". Accountants compete with each other based on how much they can lower your tax bill. So yes, of course they'll help you make unlawful tax deductions, and they'll reassure you that it's perfectly fine and that they have many years of experience etc etc.
Yes, and I'll do you one better: everybody should have their own company and there should be no "employee" option. Everything should be contracts. Makes it clearer it's not a family relationship, it's business.
Look at it from the viewpoint of someone with sufficient wealth: income taxes are wonderful, because they only apply to realised income. (and there is a whole cottage industry devoted to ways to cumulate gains without realising income)